Jones defines a name interpretation function $f_E$ that "maps the name
space associated with environment E to the set of all objects."

$$f_E : \{\text{names}\} \xrightarrow{\ \text{interpretation path}\ } \{\text{objects}\}$$

Jones then states that: "Because name interpretation necessarily accompanies 
each exercise of a right, correlating the performance of name interpretation 
and protection checking will guarantee that all requisite checks are made 
in support of the Enforcement Rule." As Jones specifies, protection
checking can be performed:

1. At the beginning of the name interpretation path, i.e., the site at 
which names are generated 

2. At the termination of the interpretation path, i.e., the site of
the referenced object, or

3. At an intermediate stage along the interpretation path by referencing
data structures not needed for name interpretation.

The basic problem we face right now is relating these abstract ideas to
specific objects in TENEX. This memo simply suggests a couple of possibilities.

The JSYS calls are a candidate for access-site protection checking. If
it is reasonable to consider each JSYS as an individual procedure (in a
logical sense), then it is reasonable to associate an environment with each
JSYS (which may also be passed rights in the form of parameters) in order to
encapsulate it.

The TENEX file system lends itself to protection checking both at the
object site and along the way to the object (i.e., along the interpretation
path). The TENEX file designator has the following form:

device:<directory name>file name.extension;version number
There currently is some protection associated with directories and the file
object itself. There are also some restrictions on device usage, but these
exist because of the devices' particular physical restrictions rather than
as a protection consideration. I think it is reasonable to apply protection
to each element in the name, and when the JOB or process is given the handle
on the file, all other access to the file could be a right which is equivalent
to the intersection of the rights encountered along the way to the object.
For example, an extension may be one of the following:

Extension   Meaning
.MAC        MACRO-10 source program
.BAS        BASIC program
.F4         FORTRAN IV source program
.REL        relocatable object program
.SAV        an executable object program

So a read access from a text editor to a .SAV file should be stopped. 
Naturally, all this depends on the policies to be implemented. The format of 
file naming could possibly be the basis for the partitioning of files thus 
creating other types of objects. 
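
The intersection-of-rights idea above, as an added example that is not part of the original memo: Python code that parses a designator of the form given earlier and intersects the rights met at each name element. The policy table, the subjects "editor" and "loader", the directory names, the right names, and the simplified designator grammar are all assumptions made for illustration.

```python
import re

# Designator form from the memo: device:<directory>name.extension;version
# (simplified grammar, assumed for this example)
DESIGNATOR = re.compile(
    r"^(?P<device>[^:<>]+):<(?P<directory>[^<>]+)>"
    r"(?P<name>[^.;<>]+)\.(?P<extension>[^.;]+);(?P<version>\d+)$"
)

ALL = frozenset({"read", "write", "execute"})

# Constructed policy: rights that a name element grants to a subject.
# Key is (element kind, element value, subject).
POLICY = {
    ("directory", "JONES", "editor"): frozenset({"read", "write"}),
    ("directory", "JONES", "loader"): frozenset({"read", "execute"}),
    ("extension", "SAV", "editor"): frozenset(),  # editor may not open .SAV
    ("extension", "SAV", "loader"): frozenset({"read", "execute"}),
    ("extension", "MAC", "loader"): frozenset(),
}

def parse(designator):
    """Split a designator into its name elements, or raise ValueError."""
    m = DESIGNATOR.match(designator.upper())
    if m is None:
        raise ValueError(f"not device:<dir>name.ext;version: {designator!r}")
    return m.groupdict()

def effective_rights(designator, subject):
    """Intersect the rights met at every element on the way to the object."""
    rights = ALL
    for kind, value in parse(designator).items():
        # Directories are default-deny; elements without a rule do not restrict.
        default = frozenset() if kind == "directory" else ALL
        rights &= POLICY.get((kind, value, subject), default)
    return rights

def check(designator, subject, right):
    """Protection check performed along the interpretation path."""
    return right in effective_rights(designator, subject)

if __name__ == "__main__":
    for subject in ("editor", "loader"):
        for d in ("DSK:<JONES>EDIT.SAV;3", "DSK:<JONES>EDIT.MAC;1"):
            print(subject, d, sorted(effective_rights(d, subject)))
```
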

This just represents a couple of ideas I wanted to get down on paper
and think about a little bit.



